Article excerpt

INCORPORATING RISK INTO CORPORATE STRATEGY

Risk management should be part of every organization's corporate strategy (Anderson, 2006). The incorporation of risk should include more than just the "Black Swan" (Taleb, 2007) catastrophic events which can cripple an organization but also those relatively minor events which can hurt the effectiveness of day to day operations. The results of proper risk analysis includes more than reducing the negative impact of risks, they also include identifying the risk tolerance and risk appetite so that an organization can make better strategic decisions moving forward (RIMS Executive Report 2012).

Most risk management applies a qualitative matrix analysis using impact and probably (Dumbrava 2013). There has been some concern about the use of matrixes to quantify and qualify risk (Cox 2008) especially when organizations are being asked to evaluate an unknown sometime in the future. However, the use of risk matrices in strategic planning can be improved be adding a third factor, the element of "time" in risk analysis. This concept has been long recognized. The ancient Chinese philosopher Lao Tzu wrote, "The biggest problem in the world could have been solved when it was small." (italics added) (Bynner 1944). Organizations develop plans for implementation of strategy based on short term and long term planning. Therefore, for risk analysis to best assist an organization's corporate strategy it has to look at how the probability of an event changes over time. While some events may have a low probability in the short term, such as interest rates rising substantially, in the long term the probability of such risk may increase. Therefore, an improved risk analysis includes the matrices of impact, probability and time. More importantly, improved risk management includes a matrix of organizational procedures and processes to reduce risk.

RISKING THE ORGANIZATION'S EXISTENCE

Many will argue that those Black Swan events, which could completely change an organization, cannot be adequately planned for simply because they are so rare and unforeseeable. Clearly, few could have predicted the development of the internet or the fall of the Soviet Union (Taleb 2007). But we only have to take a small step away from those atypical occurrences to find events with significant impact that an organization could have foreseen and planned for. All high risks that threaten the existence of the organization must be assessed.

Corporations around the world have experienced many risk management failures in recent years (OECD 2014). Chipotle, Target, Volkswagen and Takata are just a few of the many examples of businesses that have experienced high impact events that have significantly harmed the company. In each case, a more comprehensive risk management plan could have reduced the immediate impact and provided a strategy to mitigate further losses.

Chipotle

Chipotle is a chain of 1900 restaurants employing 45,000 people with a reputation for serving quality Mexican fast food. The chain built its reputation primarily with its focus on serving very fresh, organic vegetables. However, that reputation and the very existence of the company, was severely damaged in 2015 when many Chipotle customers in a number of states became ill from E. coli poisoning and salmonella. Shortly after the E. coli problems started a Chipotle restaurant in Boston was found to be the source of the norovirus infection in approximately 140 customers. With the Center for Disease Control investigating the harm to customers, some local health departments closing Chipotles, and lawsuits filed against the chain by sickened customers, the continued existence of the company was threatened. In the last quarter of 2015 Chipotle profits were down 44% and as a result the value of its stock dropped more than 30%. It had lost the reputation for quality that it had built over 20 years in just a few months. Could Chipotle have had better risk assessment and processes in place to prevent this hazard? …